Debunking the myths of DNS security

For years, we’ve been pioneering the use of DNS to enforce security. We recognized that DNS was often a blind spot for organizations and that using DNS to enforce security was both practical and effective. Why? Because DNS isn’t optional. It’s foundational to how the internet works and is used by every device that connects to the network. If you’re considering using DNS for security, it’s important to understand the facts so you can separate them from the fiction.

Myth: DNS can only provide limited insights for threat intelligence

Thanks to DNS, we have a view of the internet unlike that of any other security provider. Using a combination of historical and live data from more than 140 billion daily requests across 90 million daily users, we apply multiple statistical and machine-learning models. We then derive meaningful insights from this diverse data set, which allow us to:

Associate attacks with specific domains, IPs, ASNs, file hashes, and email addresses in order to map out attacker infrastructure.

Use WHOIS record data to see domain ownership and uncover other malicious domains registered with the same contact information.

See suspicious spikes in global DNS requests to a specific domain.

Predict where future attacks might be staged by identifying related domains and IPs that are associated with malware.

While it’s true that DNS providers, their infrastructure and their products can themselves be targeted by various threats, those aren’t things that keep our customers up at night.

That’s because we’ve taken numerous steps to protect our infrastructure and products, including:

Designing our global network using best practices and resilient architectures to withstand larger attacks without users experiencing any performance degradation.

Overprovisioning machine resources for each resolver at each site to an order of magnitude over target capacity. We use BGP and IP Anycast to distribute the effects of DDoS attacks globally across the data centers that host our public resolvers.

Umbrella also has several features that minimize the effect of malicious clients sending DNS traffic through our infrastructure, including:

Rate-limiting DNS queries for ‘ANY’ records

Rate-limiting DNS responses with extremely long ‘TXT’ records

Rate-limiting duplicate DNS queries that exceed a threshold

Blacklisting domain names with hundreds of ‘A’ records

Monitoring which client IPs send the most queries and use the most bandwidth
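The controls in the list above are easier to reason about when you see them applied to traffic. The following is an added example written for this page, not Umbrella's own implementation: a small resolver front-end that rate-limits ANY queries and duplicate queries per client, blocklists names that answer with hundreds of A records, flags oversized TXT answers, and keeps per-client query and bandwidth counters. Every threshold, window length and client address in it is an assumption chosen for illustration.

```python
"""Added example, not Umbrella's implementation: a resolver front-end that
applies the abuse controls listed above to a stream of queries and answers.
All thresholds, windows and client addresses are assumptions."""
from collections import defaultdict, deque

ANY_PER_SEC = 5           # assumed: ANY queries allowed per client per second
DUP_PER_SEC = 20          # assumed: identical (qname, qtype) queries per client per second
TXT_MAX_RDLENGTH = 1024   # assumed: answers with more TXT rdata than this are rate-limited
MAX_A_RECORDS = 100       # assumed: a name answering with more A records is blocklisted

class QueryFilter:
    def __init__(self):
        self.any_times = defaultdict(deque)       # client -> timestamps of ANY queries
        self.dup_times = defaultdict(deque)       # (client, qname, qtype) -> timestamps
        self.per_client = defaultdict(lambda: {"queries": 0, "bytes": 0})
        self.blocklist = set()

    @staticmethod
    def _over_limit(window: deque, now: float, limit: int) -> bool:
        """Sliding one-second window: drop stale entries, record this event, compare."""
        while window and now - window[0] >= 1.0:
            window.popleft()
        window.append(now)
        return len(window) > limit

    def check_query(self, now: float, client: str, qname: str, qtype: str, size: int) -> str:
        """Decide 'allow', 'drop' or 'truncate' for an incoming query."""
        stats = self.per_client[client]
        stats["queries"] += 1
        stats["bytes"] += size
        if qname in self.blocklist:
            return "drop"
        if qtype == "ANY" and self._over_limit(self.any_times[client], now, ANY_PER_SEC):
            return "drop"                          # ANY is the classic amplification request
        if self._over_limit(self.dup_times[(client, qname, qtype)], now, DUP_PER_SEC):
            # Answer with TC=1 instead of silently dropping: a genuine client retries
            # over TCP, while a spoofed-source flood gets a tiny reply and no amplification.
            return "truncate"
        return "allow"

    def check_answer(self, qname: str, rrset) -> str:
        """Inspect an upstream answer before caching it. rrset is a list of (rtype, rdata)."""
        if sum(1 for rtype, _ in rrset if rtype == "A") > MAX_A_RECORDS:
            self.blocklist.add(qname)              # hundreds of A records: treat as abusive
            return "blocklisted"
        if sum(len(rdata) for rtype, rdata in rrset if rtype == "TXT") > TXT_MAX_RDLENGTH:
            return "rate-limit"                    # oversized TXT answers feed reflection attacks
        return "cache"

    def top_clients(self, n: int = 3):
        """Clients ranked by bandwidth, then query count: the 'who is loudest' view."""
        return sorted(self.per_client.items(),
                      key=lambda kv: (kv[1]["bytes"], kv[1]["queries"]), reverse=True)[:n]

def run_demo():
    """Constructed traffic: one client hammering ANY and repeating a query, one quiet client."""
    f = QueryFilter()
    decisions = []
    for i in range(8):                              # 8 ANY queries in 0.35 s
        decisions.append(f.check_query(i * 0.05, "198.51.100.9", "isc.org", "ANY", 60))
    for i in range(25):                             # 25 identical A queries in 0.25 s
        decisions.append(f.check_query(0.4 + i * 0.01, "198.51.100.9", "www.example.com", "A", 45))
    decisions.append(f.check_query(1.0, "192.0.2.10", "www.example.com", "A", 45))
    return decisions, f

if __name__ == "__main__":
    d, f = run_demo()
    print(d)
    print(f.top_clients())
```

With the assumed thresholds the noisy client gets its first five ANY queries answered and the next three dropped, and its twenty-first and later repeats of the same question are answered with the truncation bit rather than a full response; the quiet client is unaffected. Truncating rather than dropping is the point worth noticing: it keeps legitimate resolvers working while removing the amplification an attacker with a spoofed source address was after.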

To protect against DNS cache poisoning, Umbrella adds entropy to its upstream nameserver queries using several methods, including:

Using new random source ports for each upstream query

Using random DNS transaction IDs for each upstream query

Shuffling the order of authoritative nameservers used for each upstream query
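To see why the first two measures matter, it helps to work through what a blind cache-poisoning attempt has to get right. The following is an added example, not Umbrella's resolver code: it builds an upstream query with a CSPRNG-chosen transaction ID and source port, applies the resolver-side acceptance check (port, ID, QR flag and question must all match), and then fires forged replies with guessed values at it. The ephemeral port range and the forged answer's IP address are assumptions.

```python
"""Added example (not Umbrella's code): why a resolver randomises both the
UDP source port and the 16-bit transaction ID of every upstream query.

A blind (off-path) attacker who wants to poison the cache must forge a reply
that matches all of them before the real authoritative answer arrives.
Everything below is offline; packets are built and checked in memory."""
import secrets
import struct

PORT_LO, PORT_HI = 1024, 65536          # assumed ephemeral range: 64512 ports
TXID_SPACE = 1 << 16                     # 16-bit DNS message ID

def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(qname: str, qtype: int = 1):
    """Return (txid, src_port, wire) for an upstream query, both drawn from the OS CSPRNG."""
    txid = secrets.randbelow(TXID_SPACE)
    src_port = PORT_LO + secrets.randbelow(PORT_HI - PORT_LO)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return txid, src_port, header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def parse_header_and_question(wire: bytes):
    """Return (txid, flags, qname, qtype) from the start of a DNS message."""
    txid, flags = struct.unpack("!HH", wire[:4])
    pos, labels = 12, []
    while wire[pos] != 0:
        n = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", wire[pos + 1:pos + 3])[0]
    return txid, flags, ".".join(labels), qtype

def forge_response(qname: str, guessed_txid: int, spoofed_ip: str = "203.0.113.7") -> bytes:
    """Attacker's guess: echo the question, use a guessed ID, point the name at an attacker IP."""
    header = struct.pack("!HHHHHH", guessed_txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in spoofed_ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata  # name pointer to offset 12
    return header + question + answer

def accept_response(txid: int, src_port: int, qname: str, dst_port: int, wire: bytes) -> bool:
    """Resolver-side check: the reply must arrive on the port we sent from, carry our ID,
    have QR set and echo our question. Anything else is discarded."""
    if dst_port != src_port:
        return False
    r_txid, flags, r_qname, _ = parse_header_and_question(wire)
    return r_txid == txid and bool(flags & 0x8000) and r_qname == qname.rstrip(".")

def search_space(randomize_port: bool) -> int:
    """Number of (ID, port) combinations a blind attacker must cover."""
    return TXID_SPACE * ((PORT_HI - PORT_LO) if randomize_port else 1)

def blind_attack(qname: str, attempts: int) -> int:
    """Fire `attempts` forged replies with random ID/port guesses at one outstanding query."""
    txid, port, _ = build_query(qname)
    hits = 0
    for _ in range(attempts):
        guess_port = PORT_LO + secrets.randbelow(PORT_HI - PORT_LO)
        guess_txid = secrets.randbelow(TXID_SPACE)
        hits += accept_response(txid, port, qname, guess_port, forge_response(qname, guess_txid))
    return hits

if __name__ == "__main__":
    print("guess space, ID only:", search_space(False))
    print("guess space, ID + port:", search_space(True))
    print("accepted forgeries out of 5000:", blind_attack("www.example.com", 5000))
```

With only the transaction ID randomised, an attacker has 65,536 possibilities to cover and can realistically flood them all during the window before the real answer arrives; adding the source port multiplies that by the size of the ephemeral range, to roughly 4.2 billion. Shuffling the authoritative servers adds a further guess, since the forged packet must also carry the right spoofed source IP. Two caveats a practitioner should keep in mind: a NAT device between the resolver and the internet can rewrite source ports and silently undo that entropy, and none of this helps against an on-path attacker who can read the outbound query, which is why DNSSEC validation remains the real fix.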

For DNS tunneling services:

Umbrella includes a security category designed specifically to block DNS tunneling services. If your organization is concerned about users leveraging DNS tunneling, simply enable the category in the policy wizard; this blocks access to a number of known DNS tunneling services.
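A category block covers known tunneling services; it is also worth knowing what tunneling traffic looks like on the wire, so you can confirm the block is working and spot a tunnel to a domain the category does not list. The following is an added example written for this page, not part of Umbrella: a detector that profiles query logs per registered domain and flags domains whose subdomains are long, high-entropy, almost never repeated and carried in data-friendly record types. The log format, the thresholds, the client addresses and the naive "last two labels" notion of a registered domain are all assumptions; the sample log is constructed, with the tunnel lines generated from hashes so the file stays short.

```python
"""Added example, not Umbrella's code: statistical detection of DNS tunneling
over a constructed query log. Thresholds and log format are assumptions."""
import hashlib
import math
from collections import defaultdict

def _hexchunk(i: int) -> str:
    """Deterministic stand-in for a tunnel's encoded payload: two 16-char hex labels."""
    h = hashlib.sha256(str(i).encode()).hexdigest()[:32]
    return h[:16] + "." + h[16:]

# Constructed sample log, one query per line: "epoch client qname qtype".
# The first ten lines are ordinary traffic; the rest imitate a client pushing
# data out through a domain it controls, one unique subdomain per query.
SAMPLE_LOG = [
    "1700000000 10.1.1.5 www.example.com A",
    "1700000001 10.1.1.5 mail.example.com MX",
    "1700000002 10.1.1.6 www.example.com A",
    "1700000003 10.1.1.6 api.example.com A",
    "1700000004 10.1.1.5 www.example.com AAAA",
    "1700000005 10.1.1.8 cdn.example.com A",
    "1700000006 10.1.1.9 www.example.com A",
    "1700000007 10.1.1.5 login.example.com A",
    "1700000008 10.1.1.6 www.example.com A",
    "1700000009 10.1.1.9 api.example.com A",
] + [f"{1700000010 + i} 10.1.1.7 {_hexchunk(i)}.tun.example.net TXT" for i in range(30)]

MIN_QUERIES = 10          # assumed: ignore domains with too little traffic to judge
MIN_UNIQUE_RATIO = 0.8    # assumed: share of queries with a never-before-seen subdomain
MIN_MEAN_LEN = 20         # assumed: average subdomain length in characters
MIN_MEAN_ENTROPY = 3.0    # assumed: average Shannon entropy (bits/char) of the subdomain
DATA_QTYPES = ("TXT", "NULL", "CNAME")   # record types that carry arbitrary bytes well

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score high, dictionary words score low."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    # Assumption: last two labels. A real deployment should use the Public Suffix
    # List so that names such as example.co.uk are grouped correctly.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def profile(lines):
    """Aggregate per-registered-domain statistics over the log lines."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "data": 0})
    for line in lines:
        _, client, qname, qtype = line.split()
        dom = registered_domain(qname)
        sub = qname[:-len(dom) - 1] if qname != dom else ""
        s = stats[dom]
        s["n"] += 1
        s["subs"].add(sub)
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub) if sub else 0.0
        s["data"] += qtype in DATA_QTYPES
    return stats

def suspected_tunnels(lines):
    """Return {domain: metrics} for domains whose query pattern looks like a data channel."""
    flagged = {}
    for dom, s in profile(lines).items():
        if s["n"] < MIN_QUERIES:
            continue
        m = {
            "queries": s["n"],
            "unique_ratio": len(s["subs"]) / s["n"],
            "mean_len": s["len"] / s["n"],
            "mean_entropy": s["ent"] / s["n"],
            "data_qtype_share": s["data"] / s["n"],
        }
        if (m["unique_ratio"] >= MIN_UNIQUE_RATIO and m["mean_len"] >= MIN_MEAN_LEN
                and m["mean_entropy"] >= MIN_MEAN_ENTROPY):
            flagged[dom] = m
    return flagged

if __name__ == "__main__":
    for dom, m in suspected_tunnels(SAMPLE_LOG).items():
        print(dom, {k: round(v, 2) for k, v in m.items()})
```

On the constructed log only example.net is flagged: thirty queries, every one with a fresh subdomain, averaging 37 characters at over three bits of entropy per character, all of type TXT. The ordinary example.com traffic fails on the unique-subdomain ratio alone. Expect false positives from legitimate services that use hashed hostnames (CDNs, some anti-spam and telemetry systems), so treat a hit as a lead for an analyst, and pair this kind of analysis with the category block rather than replacing it.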

Myth: DNS security alone is enough to protect an organization

Relying solely on DNS for your security is not enough: some sites require deeper inspection. Umbrella uses DNS as the starting point to bring traffic to our cloud platform and enforce security there. With DNS, we can route safe requests directly and block malicious domains outright, unlike proxies that have to intercept every single request. Risky domains (those we can’t classify as either safe or malicious) require us to go beyond DNS. Our cloud-based intelligent proxy uses Cisco Talos threat intelligence and third-party feeds to determine whether a URL is malicious, and it checks file signatures and reputation. Anti-virus (AV) engines and Cisco Advanced Malware Protection (AMP) let us inspect files that users attempt to download from risky sites. The DNS resolver service and the intelligent proxy are just two components of Umbrella, our secure internet gateway.

Here at Cisco, we’ll continue to uncover the truth and ensure that our users can connect with confidence, anywhere they work. If you’re interested in seeing how your organization can start using DNS (and more!) for security, visit signup.umbrella.com to start a free trial of Umbrella.

53 is the trickiest protocol... needed for simplicity and can easily bring down any service. Securing this is of paramount importance.
This mice flow can create havoc if not treated with care! :-)
